Last Updated on 22/11/2021 by Nidhi Khandelwal
Image courtesy: The Record
Recorded Future's Dmitry Smilyanets, a security specialist, shared on Twitter a number of messages posted by ‘0_neday,’ a notorious REvil operator, on the cybercriminal forum XSS explaining what had happened. He claimed that the group’s Tor payment portal and data leak website had been taken over by a third party.
After the horrific attack on Kaseya infected hundreds of organisations worldwide and caused untold harm, REvil shut down in July. The group is one of the most active ransomware gangs today, having targeted hundreds of important firms and organisations in recent years.
However, following the July 4 attack on Kaseya, the gang came under intense law enforcement attention and stopped its operation on July 13. The organisation reappeared in September, continuing to attack dozens of businesses in recent weeks.
As per The Record, the group’s servers were shut down on July 13 after “Unknown” allegedly took their money and made it difficult for those that remained to pay affiliates.
Smilyanets informed the news organisation that he hoped the organisation had been shut down as a result of US law enforcement activities. Because of their activities during the REvil attack on Kaseya, the FBI and other US agencies have received significant flak in recent weeks.
The FBI claimed it had held decryption keys that could have aided the almost 1,500 ransomware victims affected by the Kaseya attack, but chose not to release them because it was planning an operation against REvil’s infrastructure. The group shut down before the operation could be completed, and the FBI has been chastised by the affected organisations and lawmakers for delaying the release of the decryption keys.
Bitdefender eventually provided a free decryptor to all of the Kaseya-affected organisations.
Experts had differing reactions to the situation, with some advising the public not to trust criminals’ words. Others explained that the scenario made sense because REvil’s actions were being criticised by its own affiliates.
Recorded Future’s Allan Liska, a ransomware expert, told ZDNet that he had two possibilities in mind.
While some may doubt whether the internal strife within the gang is genuine, Liska believes it is, citing the internal strife that has enveloped other ransomware groups this year.
Despite the fact that the REvil operators have deactivated this specific group, Liska believes that everyone who was a part of the REvil organisation will continue to carry out ransomware operations.
REvil was already under scrutiny from the broader cybercriminal community, according to Sean Nikkel, a senior cyber threat intel analyst at Digital Shadows, because of the drama surrounding allegations of failing to pay those involved in its partnership programme and claims that it effectively cut out affiliates and shared decryption keys with victims.
The tone of REvil’s forum posts, according to Nikkel, indicates that the group will be back in some form. However, it may have problems returning after advertising for affiliates with a 90/10 profit split, which is higher than the group has offered in prior years.
Chad Anderson, a senior security researcher at DomainTools, claimed that his team identified a backdoor in REvil’s RaaS product. After that, several REvil affiliates confirmed that the founders had defrauded them.
Brett Callow, an Emsisoft ransomware expert, was wary of what was said in the cybercrime forum, noting that it also serves as a press release service for ransomware gangs.